2025-10-16 06:47:29
Wordfence
PUBLISHED
The Classified Pro theme for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check in the cwp_addons_update_plugin_cb function in all versions up to, and including, 1.0.14. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins on the affected sites server which may make remote code execution possible. Note: The required nonce for the vulnerability is in the CubeWP Framework plugin.